From bdbfa0dc5b6e15a755306b5b0edfc35cb6b2075b Mon Sep 17 00:00:00 2001
From: Jamil
Date: Fri, 15 Dec 2023 17:24:07 -0800
Subject: [PATCH] Prevent DNS sentinel from being used as a fallback resolver (#2922)

Prevent the edge case where our DNS sentinel could be used as a fallback resolver. I didn't observe this in the wild, but we should avoid it in case.

---------

Co-authored-by: Gabi
---
 rust/connlib/clients/shared/src/control.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rust/connlib/clients/shared/src/control.rs b/rust/connlib/clients/shared/src/control.rs
index fde8e589e..4d7be7ee1 100644
--- a/rust/connlib/clients/shared/src/control.rs
+++ b/rust/connlib/clients/shared/src/control.rs
@@ -2,6 +2,8 @@ use async_compression::tokio::bufread::GzipEncoder;
 use connlib_shared::control::KnownError;
 use connlib_shared::control::Reason;
 use connlib_shared::messages::{DnsServer, GatewayResponse, IpDnsServer};
+use connlib_shared::DNS_SENTINEL;
+use std::net::IpAddr;
 use std::path::PathBuf;
 use std::{io, sync::Arc};
 
@@ -46,11 +48,16 @@ fn create_resolver(
     let Ok(Some(dns_servers)) = callbacks.get_system_default_resolvers() else {
         return None;
     };
-    if dns_servers.is_empty() {
+    let mut dns_servers = dns_servers
+        .into_iter()
+        .filter(|ip| ip != &IpAddr::from(DNS_SENTINEL))
+        .peekable();
+    if dns_servers.peek().is_none() {
+        tracing::error!("No system default DNS servers available! Can't initialize resolver. DNS will be broken.");
         return None;
     }
+
     dns_servers
-        .into_iter()
         .map(|ip| {
             DnsServer::IpPort(IpDnsServer {
                 address: (ip, DNS_PORT).into(),
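Review bot: The filter at `.filter(|ip| ip != &IpAddr::from(DNS_SENTINEL))` carries no comment saying why the sentinel is dropped, and it rebuilds the `IpAddr` for every element of the list; I'd hoist it into a named local with a why-comment: `// Never use our own DNS sentinel as an upstream/fallback resolver.` / `let sentinel = IpAddr::from(DNS_SENTINEL);` / `.filter(|ip| *ip != sentinel)`. The comparison is an exact address match, so if a platform ever reports the sentinel in a different form (for instance an IPv4-mapped IPv6 address, assuming `DNS_SENTINEL` is a v4 address) it would pass the filter — worth a short note there, and a unit test pinning that a list containing only the sentinel yields `None`. `create_resolver` starts before this hunk and its `.map` closure continues past it.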